Cybersecurity research fund accused of protectionism

The European Commission has earmarked €450 million to fund companies working on cybersecurity, in a bid to slash the growing number of attacks on private firms and governments.

Estimates from the Commission point to annual damages worth up to €500 billion resulting from technology security attacks worldwide.

Under a new agreement backed by the EU executive, over 100 companies pledged to pay into a fund for cybersecurity research. Combined with Commission funds from its Horizon 2020 programme, the group predicts it will set aside €1.8 billion over the next three years.

But some people involved in the security fund have ruffled feathers by arguing that companies from outside of Europe shouldn’t be allowed to join.

“If the Commission spends EU citizens’ tax money then it should be invested in EU IT companies and not be used to increase the revenue of US or Asian IT companies,” Udo Helmbrecht, director of the EU cybersecurity agency ENISA, told euractiv.com.

ENISA has 84 employees specialised in technology security who will give training sessions and pitch in technical know-how to help companies that receive funds under the programme.

One Commission official involved in the funding scheme insisted that companies will have to fit Horizon 2020 criteria by having a legal base in an EU member state or one of the other countries listed in the programme rules. Companies headquartered only in the United States, China, Japan or South Korea cannot receive Horizon 2020 funds.

But some in the tech industry were angered by the calls to keep out non-European companies.

“There’s a certain mindset in Europe where protectionism is seen as a good thing,” said Paul Meller, spokesman for DigitalEurope, a trade association that represents several large companies from outside Europe, including Google, IBM and Microsoft.

EU countries diluted new rules regulating information-sharing on cybersecurity breaches, a top European Commission official said today (26 April), which made it impossible to monitor hackers’ assaults on member states’ critical infrastructure.

American tech companies IBM and Hewlett-Packard both submitted requests to join the cybersecurity fund, according to Luigi Rebuffi, who is fielding applications to the group.

Rebuffi said that while any company can sign on to join, he wants the programme to help home-grown European firms develop better security technology.

“European companies don’t have the same market spread as American companies or others. We really tried to support the European companies to grow and become competitive,” he said.

European aviation manufacturers Thales and Airbus have already joined the fund, as well as German software company SAP and engineering giant Siemens.

The fund’s €1.8 billion investment goal is a “conservative figure”, Rebuffi told EURACTIV. He said the companies will “try to support those areas where the EU is a leader” when securing research funding, including in industrial manufacturing, aeronautics, energy, finance and health.

The new funding programme highlighted the tense relationship between the Commission and ENISA, which has buckled under pressure in recent months as the Greece-based agency gets ready to take on an expanded workload.

ENISA will receive security breach reports from national governments under the first EU-wide cybersecurity law, set to go into effect in 2018. The agency has pushed for a budget increase—which is currently capped at €11 million annually—because Helmbrecht says he can’t afford to hire new staff in some major research areas.

The Commission is due to review ENISA by 2018, but one top official close to the review told EURACTIV that the agency won’t be seeing a budget increase, despite plans for more EU cybersecurity policies.

EXCLUSIVE / Europe’s cybersecurity agency has admitted it is unprepared for the advent of the internet of things, lacking the money and expertise to meet the challenges posed by the much hyped move towards digitally connected devices.

Background

An EU cyber security strategy was presented by the Commission and in 2013, covering the internal market, justice and home affairs and foreign policy angles of cyberspace.

The European Commission shortly after proposed a directive with measures to ensure harmonised network and information security across the EU.

Member states and the European Parliament agreed on the directive in December 2015, which will oblige companies to be audited for preparedness and to notify national authorities of cyber incidents with a “significant impact.”

The EU singled out a number of sectors which it claimed require more action on cybersecurity including “critical” infrastructure operators in energy, transport, banking and healthcare services.

All member states would be required to adopt network and information security strategies and set up teams to respond to incidents. Cooperation networks would be created at EU level.